The GDPR agrees on a number of data subject rights. One of these is “the right to erasure,” often referred to as the “the right to be forgotten”. This means organizations are obligated to delete data belonging to a data subject under certain circumstances if the data subject requests this. However, this demand does not always need to be recognized.
This particular area of the regulation seems to be attracting an awful lot of the attention lately and many are debating it.
What is the right to erasure?
GDPR Article 17 specifies the data subject’s right to erasure. It is the right that the data subject has to request the erasure of personal information under certain circumstances. It enables the ability to have personal data deleted.
The article outlines the circumstances under which the right can be exercised:
- The data is no longer necessary to serve the purposes for which it was originally processed.
- The data subject withdraws consent for the processing of their data.
- The data subject objects, rightfully, to the processing of their data and there are no legitimate grounds for it to continue.
- It must be erased for compliance with a legal and EU obligation.
- It is being unlawfully processed.
Organizations are not required to comply if the processing is:
- Necessary for exercising the right of freedom of expression and information.
- For use in legal claims.
- For complying with legal obligations.
- In the public interest.
- For archiving for historical or scientific and statistical reasons.
Europe has this right…right?
The GDPR’s purpose is not to inflict harm or to damage businesses (although many feel distressed about it right now) or to jeopardize the interests and rights of the wider public. It is to ensure that people’s personal data and privacy is protected and that no one (even the largest of organizations) is in a position to bully anyone or take advantage of people’s data in any way. It is giving people the power to maintain their privacy. (The Cambridge Analytica Facebook scandal is a perfect example of why the GDPR is important). This right to erasure is an important part of the privacy framework.
Google is a prime example of the bearing of this right in particular. Google has already faced court actions relating to the right to be forgotten. Between 2014 and 2017, Google says it has received under right to be forgotten requests to delist 2.4 million URLs from searches, primarily relating to personal information and legal history. Individuals can ask to have a page delisted if it is inaccurate, inadequate, irrelevant, or excessive.
There is a concern about getting the balance right. The people’s right to privacy needs to be protected (hence the GDPR) but some are concerned that if the correct balance is not achieved, the regulation may negatively impact the flow of information and impact the wider public’s right to know and be informed.
Having said that, the regulation does take into account public interests and the requirement for freedom of speech, thus putting measures in place to avoid these situations (take a quick look once again at the exceptions to the rule when an organization is not obliged to comply with the right).
Some believe the right to erasure is spot-on
A digital presence is now a central part of most of our personal and professional lives and the information posted online is vast and is difficult to remove. It may be a photo (that in hindsight should never have been taken, let alone have been posted in public view), a video (which you thought was cool at the time…not so anymore), a status update (maybe now considered inappropriate), a criminal conviction, or a questionable encounter with the law. All these things from the past can impact one’s future.
This information is often exploited for the benefit of others and mostly without the person’s consent and often without them even knowing that it is happening.
Any EU citizen has the right to request that any organization erase their personal data. This includes search engines. Individuals can request that they delist results to content that’s considered inaccurate, irrelevant, or excessive. Information that was once relevant and accurate will not always be. If it is not in the interest of the public (or law) to keep it in public view an available, people should be allowed to request that it is removed.
Young people and children do silly things. (This is true for some “not so young” people, too.) The ability to be able to request that childhood slipups (that have caused no harm to others, only the embarrassment to the person it pertains to) be removed from the digital world that may have otherwise, without the regulation, remained to haunt that person (and those around them) into adulthood and beyond is a good thing!
People have always made mistakes, only now it is all digitized and immortalized — posted on social media and on the Internet (always just a click away). No matter how often kids are advised to be mindful of what they post, at the time it seems fun and OK and they still do it! I suppose it can be attributed to being young and unaware of the later consequences and for this reason, the chance of a second chance (by having the ability to have it removed) — is good! It will have a beneficial impact on the person the content pertains to and no negative effect on the public.
Information should always be accurate and the ability to have information corrected has great benefits for everyone.
The right has been introduced for the correct reasons to support personal privacy by removing outdated, inaccurate, or irrelevant information and it is necessary for this advanced digital age.
But others don’t think it’s great at all
On the flipside, some believe that the right to erasure will be the end of the Internet as we know it and the demise of freedom of speech. Some believe it will empower the wrong entities to curtail a free press as this depends on links, references, and sources.
Critics suggest that the removal of links to information on the Internet will disrupt free expression by altering search results and will negatively impact the circulation of pertinent, quality news, and information. It’s also suggested that the right will disrupt the archival history of digital information.
Then there are concerns relating to the potential removal of information in error (that should have remained in public view) that could result in people getting hurt.
Some question how the right can be properly monitored and controlled — especially, since it’s an EU right and information travels. Organizations are global.
Achieving the right balance
This is why the balance is important. The GDPR calls for a balance between the right to erasure and other interests (including public interests) to avoid negative impacts.
People can finally take back their right to privacy. However, if the balance is not achieved we may find truthful information being censored if others disagree or if the wrong people are empowered to delist information from public scrutiny or censor content.
There is some tension with regards to the impact that the right to be forgotten may have on the public’s right to know or to be informed. We need to be very careful that when the right is fulfilled to remove the pertinent information without hampering public record.
The right to be forgotten has gotten people interested in privacy on the Internet and is allowing the consumer to take control and be a part of the process to minimize damages associated with the publicity of inaccurate or outdated information.
However, the regulation makes sure that this right to erasure is kept in context with the broader privacy framework by putting criteria in place for the secure and lawful collection, sharing, and processing of personal information.
The regulation has many elements designed to control how European data is handled outside of the EU. Data does travel. For this reason, the EU has assured that any data on an EU citizen remain in the EU unless consent has been given for the data to be processed elsewhere. The country is required to abide by the GDPR. Some destinations are marked as “meeting the adequacy” requirements by the EU, as the country meets a set of criteria in law and data can travel to those countries provided they abide by the GDPR. However, many countries do not meet the requirement of “adequacy” as they do not have a data protection law or if they do it is not acceptable (by EU standards) and special arrangements need to be made in these cases.
The balance is fundamental and the success of this right and the regulation in its entirety will hinge on the ability to defend the right to erasure and other rights not only in the EU but across borders (globally) to make sure things are working as they should.
Right to erasure is needed to protect privacy in this digital age
Some large entities know individuals better than they know themselves because of how they (and we) handle people’s data. Privacy is important and should be protected. However, the freedom to speak and express oneself is also important along with the ability to know and be informed of accurate, truthful, and factual information (this is required for the good of the wider public).
People’s pasts do impact how they live today and their future prospects. It is difficult to remove data once posted online. It is important that in this digital age (where everything is recorded, monitored, and tracked) we can have the ability to move on from our pasts (within the law and without impacting public interest) and should not be disadvantaged unnecessarily.
All information should be accurate, some information should be allowed to be removed, and other information should remain public. We need to assess the public interest against the individual’s right to privacy, at all times, to achieve the correct balance.
The right has been put in place for honorable reasons along with measures to avoid negative impacts. It supports both personal privacy and public interest. It’s still in the early days, so we’ll have to wait to see how it all unfolds.
Photo credit: Pixabay
More GDPR Preparation articles
- Personal information under GDPR: What it is — and what it isn’t
- The 6 GDPR privacy principles you must know — now
- GDPR and retailers: A forced opportunity to turn data into gold
- The clock is ticking: Is your business ready for GDPR compliance?
- Your 7 step guide to making GDPR compliance a little more manageable